by
Hi,
I have the same problem as in https://community.teltonika-networks.com/16900/rut955-and-openvpn-error-tls-handshake-failed right now, but no solution was provided there, so I opened a new ticket. I have a RUT955 with firmware version RUT9_R_00.07.00.2.

I am trying to establish an OpenVPN connection, where the RUT955 is the server.

I followed this manual https://wiki.ubuntuusers.de/OpenVPN/ to create certificates and keys for my Ubuntu client and the server. (I also tried generating the certificates on the router and using those, with no success either.)

I uploaded the CA cert, the server key, the server cert and the Diffie-Hellman key to the router.

I created an .ovpn file for my client and tried to connect to the VPN, but it fails with a TLS error.

sudo openvpn --config ~/client-configs/MAP1.ovpn
Thu Nov 18 07:16:51 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Thu Nov 18 07:16:51 2021 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Thu Nov 18 07:16:51 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov 18 07:16:51 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:1194
Thu Nov 18 07:16:51 2021 Socket Buffers: R=[262144->262144] S=[262144->262144]
Thu Nov 18 07:16:51 2021 UDP link local: (not bound)
Thu Nov 18 07:16:51 2021 UDP link remote: [AF_INET]192.168.1.1:1194
Thu Nov 18 07:16:51 2021 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Nov 18 07:17:51 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Nov 18 07:17:51 2021 TLS Error: TLS handshake failed
Thu Nov 18 07:17:51 2021 SIGUSR1[soft,tls-error] received, process restarting
Thu Nov 18 07:17:51 2021 Restart pause, 5 second(s)

I added the troubleshoot files.
Can someone help me please?
by
My ovpn file looks like this:

client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp

remote 192.168.1.1 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca /home/bpajunk/openvpn/pki/ca.crt
cert /home/bpajunk/openvpn/pki/issued/openvpn-client1.crt
key /home/bpajunk/openvpn/pki/private/openvpn-client1.key

#remote-cert-tls server

;tls-auth ta.key 1

;cipher AES-256-CBC
cipher AES-256-GCM
auth SHA256

key-direction 1

; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf

 script-security 2
 up /etc/openvpn/update-systemd-resolved
 down /etc/openvpn/update-systemd-resolved
 down-pre
 dhcp-option DOMAIN-ROUTE .

verb 3

;mute 20
by

My router OpenVPN settings are like this:

1 Answer

by
Try to see here https://wiki.teltonika-networks.com/view/RUT955_VPN#OpenVPN

You clearly have a problem with the certificate. The easiest way is to create certificates on the router and download the necessary files to use them on the client.

Regards.
Best answer
by
When I generate certificates via the router I get .pem files.

When I set up the VPN connection and select certificates from the device, it uses the .pem files as keys but can't find certs.

Do I need to download the created .pem files, convert them via openssl to .crt as certificates and import them again to the router, or can I do this from within the router?

by
No need to convert anything. Try just renaming the files to *.crt

Or make a set of certificates according to your instructions. Use the same set of certificates on the server and client.

Regards
by

So again I tried with the certificates generated from the router.

I created a
client.key.pem
server.key.pem
ca.key.pem
ph.pem

on the router. As I didn't see a way to generate .crt out of these files directly on the router, I downloaded the mentioned files.
 

I made a ca.crt from the pem:

openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 1024 -out ca.crt


Made a signed .crt from the server.key.pem:

openssl req -new -key server.key.pem -out server.csr

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key.pem -CAcreateserial -out servre.crt -days 500 -sha256

Same with the client.key.pem.


I uploaded the ca.crt and the (misspelled) servre.crt to the router and added them to the VPN settings.


I imported the client.key.pem, client.crt and ca.crt to my vpn manager on the ubuntu gui but when I try to connect, I still fail.

by
And just renaming the .pem files is not working. They only contain the key. If I rename them to .crt and upload them to the router, they still appear in the key section, even though the extension changed.
by

Now I followed this tutorial https://wiki.teltonika-networks.com/view/How_to_generate_TLS_certificates_(Windows)%3F
to create the certificates and uploaded them to the router and to the client, and I still have the TLS handshake problem.

In all my tries the status of the is "disabled" - is this normal? I assumed it would tell me if someone is connected, but if its meaning is that the VPN server is not started, could you tell me what the reasons could be?

by
This instruction is correct https://wiki.teltonika-networks.com/view/How_to_generate_TLS_certificates_(Windows)%3F

It only lacks information about generating a CRL file and a ta key. You will need TA if you decide to enable "Additional HMAC authentication".

According to your screenshot, I can say that you turned on the VPN, but did not click "Save&Apply".

After saving, the state changes first to Active.
by
Ok, that was the reason. I didn't click Save&Apply.

Now I can connect.

Thank you and sorry!
by
You are welcome. Have a nice day.
by
For people who have a similar problem:
Another problem I encountered was that the NTP server of the router was not correct after restarting the router. (This seems to be a problem when the router has no internet connection).

The system time of the router was in the past, so that the certificates were not valid and the TLS handshake failed.

So after startup make sure the router has a synchronized time!
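The clock-related failure described in this last comment, together with the openssl signing commands further up the thread, as an added example that is not part of the original posts: it builds a throwaway CA and server certificate with openssl and then verifies the chain as of three different clock readings, so the "certificate is not yet valid" case that a router with a wrong clock hits can be reproduced without a router. Assumes openssl 1.1.1 or newer on PATH; all names and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the clock-related TLS failure offline.
# make_demo_pki builds a throwaway CA + server cert with openssl as the thread does;
# verify_at checks the chain as of a chosen clock reading. Names/paths are constructed.
set -u

# Build a demo CA (valid 2 days) and a server cert signed by it (valid 1 day) in $1.
make_demo_pki() {
    dir="$1"
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -days 2 -config "$dir/ca.cnf" >/dev/null 2>&1 || return 1
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" -subj /CN=rut955 \
        -out "$dir/server.csr" -config "$dir/ca.cnf" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 1 >/dev/null 2>&1
}

# Return 0 if cert $2 chains to CA $1 when the clock reads $3 (Unix epoch seconds).
# A router whose clock is behind the certs' notBefore fails here exactly as in the thread.
verify_at() {
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print openssl's own reason (e.g. "certificate is not yet valid") for a failed check.
verify_reason() {
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1 | grep 'depth lookup' | head -n 1
}

# Stand-alone demo: run as `sh thisfile.sh demo` to try three clock readings.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
    now=$(date +%s)
    for t in "$now" 1000000000 $((now + 3 * 86400)); do   # now, year 2001, 3 days ahead
        if verify_at "$tmp/ca.crt" "$tmp/server.crt" "$t"; then echo "clock=$t: chain valid"
        else echo "clock=$t: $(verify_reason "$tmp/ca.crt" "$tmp/server.crt" "$t")"; fi
    done
    rm -rf "$tmp"
fi
```

The same certificates pass at the current time and fail both with a clock set back to 2001 and with one run three days ahead, which is why an unsynchronized router clock shows up as a TLS handshake failure rather than a certificate file problem.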